Difference between Client and User-Agent

What is the difference between a Client, User-Agent and Resource Owner in OAuth 2.0 definitions?

What are some examples for each term? (browser, user, ...)

A-Sharabiani asked Feb 25 '16 20:02


2 Answers

The user agent is a browser or mobile application via which the user (resource owner) communicates with the authorization server. The client is the application code that wants to access the resources of the user on the resource server.

Now the client can live on a server (like a web application) or on the device (mobile app) or in the browser (JavaScript app). If the client lives on the server, it's considered a confidential client (can keep secrets). If it lives on the device or in the browser, it's a public client.

What type of client you have determines which OAuth grants to use. On public clients, you cannot have the client itself authenticate with the authorization server (only the user is authenticated) and therefore you can't get refresh tokens from the authorization server.

MvdD answered Oct 19 '22 17:10


The user agent is the browser.

The client is the code running on the end user's side, which may or may not be running in the browser. The client uses the browser (user agent) to log in. The idea here is that users should trust the browser with their credentials, whereas they should not trust native client code. Example at the end.

The resource owner is the user who authorizes an application to access resources (data) from their account.

Example: Suppose you have a slideshow app (the client) on your iPad that wants to access your Flickr photos. This slideshow app was developed by MysteriousAppDeveloper Inc. If that app asked you (the resource owner) to provide your Flickr credentials so that it can access your photos, then you, being a security-wise user, would not do so: you have no idea what that app might do with your credentials. Luckily, rather than asking for your credentials, it instead brings forward your iPad browser (your user agent), which you trust, to log in to Flickr. You log in to Flickr via your browser, and then the slideshow iPad app requests access to your Flickr photos. You grant the access, and then that app can present a slideshow of your images (including images with access restrictions) without ever accessing your password. You sleep well at night knowing that the slideshow app did not take your credentials and do something naughty with them.

The OAuth spec is not well motivated, in my opinion. The whole point of the protocol is that users should not trust arbitrary applications with their credentials. Instead, you should restrict your trust to applications like browsers, which everybody depends upon anyway. The protocol requires users to understand this to be effective.

TheGreatContini answered Oct 19 '22 18:10
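Both answers above describe the same separation of roles in words: the resource owner types a password into the user agent, the user agent talks to the authorization server, and the client only ever receives an authorization code and an access token; the first answer adds that a confidential client must also authenticate itself when it redeems the code, which a public client cannot. The simulation below is an added example, not code from either answer: it models each role as a separate in-process object so you can check who sees what. The client IDs, redirect URIs, the `photos:read` scope, the user name, password and photo list are all constructed for the example, and the resource server validates tokens by looking into the authorization server's token store, which stands in for real token introspection.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PASSWORD = "correct horse battery staple"  # constructed resource-owner credential


class AuthorizationServer:
    """Issues codes and tokens; besides the user agent, the only party that handles the password."""

    def __init__(self):
        self.users = {"alice": PASSWORD}
        # Hypothetical registrations: a confidential client holds a secret, a public one cannot.
        self.clients = {
            "slideshow-web": {"secret": "server-side-secret", "redirect": "https://slideshow.example/cb"},
            "slideshow-ipad": {"secret": None, "redirect": "slideshow://cb"},
        }
        self.codes = {}    # code -> (client_id, username, scope)
        self.tokens = {}   # access_token -> (username, scope)

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        """Front channel: reached only through the user agent, which submits the credentials."""
        if redirect_uri != self.clients[client_id]["redirect"]:
            raise ValueError("redirect_uri does not match the registration")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, scope)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, client_secret=None):
        """Back channel: the client redeems the code; confidential clients must authenticate."""
        secret = self.clients[client_id]["secret"]
        if secret is not None and not hmac.compare_digest(secret, client_secret or ""):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)  # a code is single use
        if issued is None or issued[0] != client_id:
            raise PermissionError("invalid or foreign code")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = issued[1:]
        return access_token


class ResourceServer:
    """Serves the resource owner's photos to any bearer of a valid token with the right scope."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.photos = {"alice": ["beach.jpg", "private/cat.jpg"]}  # constructed data

    def get_photos(self, access_token):
        username, scope = self.auth_server.tokens[access_token]  # shared store stands in for introspection
        if "photos:read" not in scope.split():
            raise PermissionError("insufficient scope")
        return list(self.photos[username])


class UserAgent:
    """The browser: trusted with the password, used by the client only as a redirect channel."""

    def __init__(self, auth_server, username, password):
        self.auth_server = auth_server
        self._username, self._password = username, password

    def open(self, authorize_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        return self.auth_server.authorize(q["client_id"], q["redirect_uri"], q["scope"],
                                          q["state"], self._username, self._password)


class Client:
    """The slideshow app; records everything it receives so we can show no password passed through."""

    def __init__(self, client_id, auth_server, resource_server, client_secret=None):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = auth_server.clients[client_id]["redirect"]
        self.auth_server, self.resource_server = auth_server, resource_server
        self.received = []

    def fetch_photos(self, user_agent):
        state = secrets.token_urlsafe(8)  # bound to this request so a foreign callback is rejected
        url = "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "photos:read", "state": state})
        callback = user_agent.open(url)  # the client never sees what the user typed into the browser
        self.received.append(callback)
        q = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
        if not hmac.compare_digest(q.get("state", ""), state):
            raise PermissionError("state mismatch: callback not tied to our request")
        access_token = self.auth_server.token(self.client_id, q["code"], self.client_secret)
        self.received.append(access_token)
        return self.resource_server.get_photos(access_token)


def run_demo():
    auth = AuthorizationServer()
    flickr = ResourceServer(auth)
    browser = UserAgent(auth, "alice", PASSWORD)
    ipad = Client("slideshow-ipad", auth, flickr)                      # public client, no secret
    web = Client("slideshow-web", auth, flickr, "server-side-secret")  # confidential client
    results = {"ipad_photos": ipad.fetch_photos(browser), "web_photos": web.fetch_photos(browser)}
    results["password_seen_by_client"] = any(PASSWORD in item for item in ipad.received + web.received)
    try:  # the confidential client's id without its secret is refused at the token endpoint
        Client("slideshow-web", auth, flickr).fetch_photos(browser)
        results["web_without_secret_rejected"] = False
    except PermissionError:
        results["web_without_secret_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running it shows both clients end up with the same photo list, that nothing the client received contains the password, and that the token endpoint is where the confidential/public distinction bites: the `slideshow-web` registration is rejected without its secret, while `slideshow-ipad` is accepted with none because the server knows it cannot keep one. The `state` check in the client is the part people most often drop; without it, an attacker can complete their own login and hand the resulting callback URL to the victim's client.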